[openstack-glance/f17] Security fix realted to CVE-2013-0212

Nikola Dipanov ndipanov at fedoraproject.org
Tue Jan 29 16:21:11 UTC 2013


commit 58bb2152edd4328674cd74339be47c073bf9ddbb
Author: Nikola Dipanov <ndipanov at redhat.com>
Date:   Tue Jan 29 16:51:47 2013 +0100

    Security fix related to CVE-2013-0212

 ...end_password_leak_in_Glance_error_message.patch |   64 ++++++++++++++++++++
 openstack-glance.spec                              |    7 ++-
 2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/0006-Backend_password_leak_in_Glance_error_message.patch b/0006-Backend_password_leak_in_Glance_error_message.patch
new file mode 100644
index 0000000..2d95ce1
--- /dev/null
+++ b/0006-Backend_password_leak_in_Glance_error_message.patch
@@ -0,0 +1,64 @@
+diff --git a/glance/store/swift.py b/glance/store/swift.py
+index ae3a626..7d94d45 100644
+--- a/glance/store/swift.py
++++ b/glance/store/swift.py
+@@ -109,7 +109,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+                     "like so: "
+                     "swift+http://user:pass@authurl.com/v1/container/obj"
+                     )
+-            logger.error(_("Invalid store uri %(uri)s: %(reason)s") % locals())
++            logger.error(_("Invalid store URI: %(reason)s") % locals())
+             raise exception.BadStoreUri()
+ 
+         pieces = urlparse.urlparse(uri)
+@@ -139,8 +139,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+             # the account and user. Combine them into a single username of
+             # account:user
+             if len(cred_parts) == 1:
+-                reason = (_("Badly formed credentials '%(creds)s' in Swift "
+-                            "URI") % locals())
++                reason = (_("Badly formed credentials in Swift URI."))
+                 logger.error(reason)
+                 raise exception.BadStoreUri()
+             elif len(cred_parts) == 3:
+@@ -161,7 +160,7 @@ class StoreLocation(glance.store.location.StoreLocation):
+                 path_parts.insert(0, netloc)
+                 self.authurl = '/'.join(path_parts)
+         except IndexError:
+-            reason = _("Badly formed Swift URI: %s") % uri
++            reason = _("Badly formed Swift URI.")
+             logger.error(reason)
+             raise exception.BadStoreUri()
+ 
+@@ -265,8 +264,8 @@ class Store(glance.store.base.Store):
+         except swift_client.ClientException, e:
+             if e.http_status == httplib.NOT_FOUND:
+                 uri = location.get_store_uri()
+-                raise exception.NotFound(_("Swift could not find image at "
+-                                         "uri %(uri)s") % locals())
++                msg = _("Swift could not find image at URI.")
++                raise exception.NotFound(msg)
+             else:
+                 raise
+ 
+@@ -464,7 +463,7 @@ class Store(glance.store.base.Store):
+         except swift_client.ClientException, e:
+             if e.http_status == httplib.CONFLICT:
+                 raise exception.Duplicate(_("Swift already has an image at "
+-                                          "location %s") % location.get_uri())
++                                          "this location."))
+             msg = (_("Failed to add object to Swift.\n"
+                    "Got error from Swift: %(e)s") % locals())
+             logger.error(msg)
+@@ -513,8 +512,8 @@ class Store(glance.store.base.Store):
+         except swift_client.ClientException, e:
+             if e.http_status == httplib.NOT_FOUND:
+                 uri = location.get_store_uri()
+-                raise exception.NotFound(_("Swift could not find image at "
+-                                         "uri %(uri)s") % locals())
++                msg = _("Swift could not find image at URI.")
++                raise exception.NotFound(msg)
+             else:
+                 raise
+ 
+
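Review bot: The credential-bearing URI is still held in locals that sit next to `% locals()` formatting, so a later edit to any of these messages could put it back into logs or exception text. In the two NOT_FOUND handlers, `uri = location.get_store_uri()` is now an unused assignment and should be deleted. The remaining format calls should pass an explicit mapping instead, e.g. `logger.error(_("Invalid store URI: %(reason)s") % {'reason': reason})`. The add path still logs `Got error from Swift: %(e)s`; whether the ClientException text can carry the auth URL is not visible here and should be confirmed. The enclosing methods begin and end outside these hunks, and the patch includes no test asserting that the URI is absent from the log and exception messages.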
diff --git a/openstack-glance.spec b/openstack-glance.spec
index c93c214..2d77da6 100644
--- a/openstack-glance.spec
+++ b/openstack-glance.spec
@@ -1,6 +1,6 @@
 Name:             openstack-glance
 Version:          2012.1.2
-Release:          2%{?dist}
+Release:          3%{?dist}
 Summary:          OpenStack Image Service
 
 Group:            Applications/System
@@ -19,6 +19,7 @@ Source3:          openstack-glance.logrotate
 Patch0003: 0003-Ensure-image-owned-by-user-before-delayed_deletion.patch
 Patch0004: 0004-Don-t-access-the-net-while-building-docs.patch
 Patch0005: 0005-Support-DB-auto-create-suppression.patch
+Patch0006: 0006-Backend_password_leak_in_Glance_error_message.patch
 
 BuildArch:        noarch
 BuildRequires:    python2-devel
@@ -100,6 +101,7 @@ This package contains documentation files for glance.
 %patch0003 -p1
 %patch0004 -p1
 %patch0005 -p1
+%patch0006 -p1
 
 sed -i '/\/usr\/bin\/env python/d' glance/common/config.py glance/registry/db/migrate_repo/manage.py
 
@@ -231,6 +233,9 @@ fi
 %doc doc/build/html
 
 %changelog
+* Tue Jan 29 2013 Nikola Đipanov <ndipanov at redhat.com> - 2012.1.2-3
+- Fix Backend password leak in Glance error message (CVE-2013-0212) 
+
 * Mon Nov 12 2012 Pádraig Brady <P at draigBrady.com> - 2012.1.2-2
 - Fix Glance Authentication bypass for image deletion (CVE-2012-4573)
 

